Stripping expired subkey during export?

Phil Pennock gnupg-users at
Fri Mar 3 07:21:39 CET 2017

For certain exports of my PGP key, I want the key minimized and clean of
cruft; while the public keyservers will reaccumulate all signatures,
data-sources where "presence is trust" do not need everything else.
Smaller keys for DNS records, certain authenticated databases, etc.

I also recently updated my key 0x4D1E900E14C1CC04 to use sha256 for all
bindings (by doing a pref update).

  gpg --export-options export-clean,export-minimal \
      --export 0x4D1E900E14C1CC04 | gpg --list-packets | less

All but one signature is `digest algo 8`.  One is still `digest algo 2`.
That's for keyid `A445DC2B1C5B7F39` which is _expired_.

  gpg (GnuPG) 2.1.19
  libgcrypt 1.7.6

Why is `export-clean` not dropping the expired subkey?  Is it that
export-clean only filters unusable userids, not unusable subkeys?

At this point, I'm not trying to remove the subkey because it's SHA1,
but because it has expired.

Since I already create a temp keyring (for export variants which drop
25519 sub-keys, to give to systems which break on those), I decided that
I could apply an import-filter on that, since sig_digest_algo is
import-only, so I used:

  --import-filter drop-sig='sig_digest_algo < 8'

and then exported clean/minimal from there; but there's no change.  This
import filter appears to do nothing.

Is this misunderstanding on my part, or a bug in GnuPG?  If the former,
is there enough here to point to the flaw in my mental model, so that
someone can educate me please?

Is there a reason beyond "nobody asked for it yet" why there's no
"expired" filter for drop-subkey/drop-sig?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 996 bytes
Desc: Digital signature
URL: </pipermail/attachments/20170303/1face25b/attachment.sig>

More information about the Gnupg-users mailing list